MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Usage of SSL in MQ Connector is very unclear or has no helpful documentation at all for Azure. #47142

Closed Haritha-Nuthi closed 4 years ago

Haritha-Nuthi commented 4 years ago

I have seen a post from last year that it would be available soon, but didn't find that. Could you please help me on how to use SSL configuration on logicapps.


Mike-Ubezzi-MSFT commented 4 years ago

@Haritha-Nuthi Thank you for making us aware of this gap in our documentation. We are evaluating this issue and will provide feedback as to next steps. This issue is being assigned to an engineer and will be updated shortly.

PramodValavala-MSFT commented 4 years ago

@ecfan @divyaswarnkar Could you share insights on this one?

ecfan commented 4 years ago

@PramodValavala-MSFT, best to ask the engineering team about this one. @ValRobb, can you help elaborate on how SSL works with the MQ connector? Thanks!

PramodValavala-MSFT commented 4 years ago

@ecfan Thanks! Looks like I can't assign the issue to @ValRobb, so will be assigning it to you in the interim.

ChristopherHouser commented 4 years ago

I assume this is the issue with mis-matched cipher specs. IBM MQ Server requires that you define the cipher spec to use with SSL. SslStream in .NET does not allow the cipher spec order to be specified. One option is to change the MQ Server configuration to match the first cipher spec in the suite we send in the SSL negotiation. If you try the connection, the MQ Server will log an event message indicating the connection failed because the other end was using the wrong cipher spec. The event message will contain the cipher spec that was first on our list. The cipher spec in the channel configuration can be updated to match what was in the event message.

Haritha-Nuthi commented 4 years ago

@ChristopherHouser : This is the way we tried for SSL in logicapps.

Installed SSL certificate in a VM, and the IP address of the VM was whitelisted from the MQ server side. Now we were able to connect to the MQ server from the VM using the command prompt. Then we installed a gateway in the same VM and tried connecting to MQ using the Gateway from logicapps. But Logicapp fails with error - 'The server requires an SSL connection.'

Could you please let us know if this is the right way to do it? Also, the certificate we got consists of three files: Key.rdb, Key.sth, Key.kdb

Haritha-Nuthi commented 4 years ago

Hi team,

Do we have any updates on this?

Thanks, Haritha Nuthi

ChristopherHouser commented 4 years ago

If the certificate from the MQ Server is not issued by a trusted certificate authority, then it will need to be installed in the local machine's Trusted Root Certificate Authorities store on the Windows system where the On-prem Data Gateway is running. You can use the Windows Certificate Manager to install the cert (Certmgr.msc).

Haritha-Nuthi commented 4 years ago

Hi @ChristopherHouser ,

After installing the SSL certificate to the Trusted Root Certificate Authorities store on the Windows system, Logic app still fails with error server requires SSL Connection. Do we need to provide somewhere in Logic app or in Gateway to pick up a particular certificate for this particular connection?

Thanks, Haritha Nuthi

Haritha-Nuthi commented 4 years ago

This is the exact error: MQ: Could not Connect the Queue Manager 'EBNGWT': The Server was expecting an SSL connection.

ChristopherHouser commented 4 years ago

Did you check that the cipher suites match? (See earlier post) The Connector does not use a cert. We only support server auth. If you have validated that the cipher suites match, then I suggest you open a support case to determine why the SSL handshake is failing.

ashgit24 commented 4 years ago

When SSL is enabled for MQ, we need to trust the Azure certificate in the remote MQ server. Can you advise which certificate of Azure's the MQ connector uses for cert validation with the MQ server during the SSL handshake?

ecfan commented 4 years ago

@ChristopherHouse, could you respond to the customer's last questions? Thanks!

ChristopherHouser commented 4 years ago

The MQ Connector does not support client authentication. So the connector does not send a certificate. Only the server certificate is validated. For a connector running in Azure, the server's certificate needs to be issued by a trusted certificate authority. If the connector is running in the On-Prem Data Gateway, you can use a self-signed certificate by installing it in the local machine's Trusted Root Certificate Authorities store on the Windows system.
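An added diagnostic that is not part of this issue thread and not Microsoft's or IBM's tooling, tying together the three points made above by ChristopherHouser (cipher spec agreement, the Trusted Root store on the gateway machine, and server-only authentication). It imports the queue manager's CA or self-signed certificate into Cert:\LocalMachine\Root, then opens a TLS connection to the listener with .NET's SslStream the way a client without a certificate would, and reports what was negotiated plus any certificate-chain error that would make the connector's handshake fail. The host, port and certificate path are assumed placeholders; run it in an elevated PowerShell session on the host where the On-premises Data Gateway is installed.

```powershell
# Added example (not from this issue thread, Microsoft or IBM): TLS diagnostics for the MQ connector
# path through the On-premises Data Gateway. Run in an elevated session on the gateway host.
# Placeholders (assumed, replace with your own values):
$MqHost     = 'mq.example.internal'   # queue manager host name as it appears in the server certificate
$MqPort     = 1414                    # listener port of the SSL/TLS channel
$CaCertPath = 'C:\certs\mq-ca.cer'    # exported CA (or self-signed server) certificate, DER or Base64

function Install-MqTrustedRoot {
    # The connector only validates the server certificate, so the gateway machine must trust the
    # issuer. Import into LocalMachine\Root (the store the gateway service reads), skipping duplicates.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $existing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($existing) {
        Write-Host "Already trusted: $($cert.Subject) [$($cert.Thumbprint)]"
        return $existing
    }
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root
}

function Test-MqTlsEndpoint {
    # Same kind of handshake the connector performs: no client certificate, server certificate
    # checked against the machine store. Reports the negotiated parameters (to compare with the
    # channel's cipher spec) and any chain error that would make the handshake fail.
    param([Parameter(Mandatory)][string]$ComputerName, [Parameter(Mandatory)][int]$Port)
    $seen = @{ Errors = $null; Cert = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors = $sslPolicyErrors
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        # Do not bypass validation: reject exactly as the connector would, but keep what we saw.
        return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure())
    $result = [ordered]@{ Host = $ComputerName; Port = $Port; Handshake = 'OK' }
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $result.Protocol    = $ssl.SslProtocol
        $result.KeyExchange = "$($ssl.KeyExchangeAlgorithm)/$($ssl.KeyExchangeStrength)"
        $result.Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        $result.Hash        = "$($ssl.HashAlgorithm)/$($ssl.HashStrength)"
        # PowerShell 7 (.NET Core 3.0+) also exposes the IANA suite name directly.
        if ($ssl.PSObject.Properties['NegotiatedCipherSuite']) { $result.CipherSuite = $ssl.NegotiatedCipherSuite }
    } catch {
        $result.Handshake = "FAILED: $($_.Exception.GetBaseException().Message)"
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
    if ($seen.Cert) {
        $result.ServerSubject    = $seen.Cert.Subject
        $result.ServerIssuer     = $seen.Cert.Issuer
        $result.ServerThumbprint = $seen.Cert.Thumbprint
        $result.ChainErrors      = "$($seen.Errors)"
    }
    [pscustomobject]$result
}

Install-MqTrustedRoot -Path $CaCertPath | Out-Null
Test-MqTlsEndpoint -ComputerName $MqHost -Port $MqPort | Format-List
```

Reading the output: a ChainErrors value of RemoteCertificateChainErrors means the issuer is still not in LocalMachine\Root on this machine; RemoteCertificateNameMismatch means the name you connect with (for example an IP address) is not the name in the server certificate. The KeyExchange, Cipher and Hash fields are the components named in the channel's cipher spec, so a handshake that completes here but is still rejected by the queue manager points back to the cipher spec mismatch described earlier in the thread, where the MQ server's event message shows which spec the client offered first. Because the connector presents no certificate, the channel's SSLCAUTH setting must not require one.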

ecfan commented 4 years ago

Hi @ashgit24,

I hope Chris's answer helped address your questions. We have a work item in progress to update the MQ topic with this information. If you have no follow-up comments, we'll close this issue. You can always add related questions to this conversation, or if you have a different question about this topic, you can create a new issue.

ecfan commented 4 years ago

@PramodValavala-MSFT: #please-close

ecfan commented 4 years ago

@ashgit24, there should be more updated info appearing tomorrow, thanks for your patience!